Low-cost wireless keyboards open to keystroke sniffing and injection attacks

Data from over 200 Pen Tests Shows Most Common Vulnerabilities. Learn more now.

Bastille Networks researcher Marc Newlin has discovered a set of security vulnerabilities in low-cost wireless keyboards that could be exploited to collect all passwords, security questions, sensitive personal, bank account and payment card info users input through them.

The problem with the vulnerable keyboards is that they don’t encrypt the keystroke data before they transmit it wirelessly to the USB dongle, and that’s because their manufacturers opted to use unencrypted radio communication protocols.

“Wireless keyboards commonly communicate using proprietary protocols operating in the 2.4GHz ISM band. In contrast to Bluetooth, there is no industry standard to follow, leaving each vendor to implement their own security scheme,” Newlin explained how the problem arose.

Aside from eavesdropping on the victim’s keystrokes, an attacker can also inject malicious keystroke commands into the victim’s computer, allowing him to perform actions like installing malware or exfiltrating data.

KeySniffer attack requirements

To perform the KeySniffer attack, an attacker can be several hundred feet away from the targeted device.

“The keyboards vulnerable to KeySniffer use USB dongles which continuously transmit radio packets at regular intervals, enabling an attacker to quickly survey an environment such as a room, building or public space for vulnerable devices regardless of the victim’s presence. This means an attacker can find a vulnerable keyboard whether a user is at the keyboard and typing or not, and set up to capture information when the user starts typing,” Newlin pointed out.

The equipment needed to perform the attack costs less than $100, meaning that anyone with enough knowledge and a little money can perform it.

Which keyboards are vulnerable to KeySniffer attacks?

Keyboards and associated USB dongles vulnerable to KeySniffer attacks are as follows:

Anker Ultra Slim 2.4GHz Wireless Compact Keyboard

EagleTec K104 / KS04 2.4 GHz Wireless Combo keyboard

General Electric’s GE 98614 wireless keyboard

Hewlett-Packard’s HP Wireless Classic Desktop wireless keyboard

Insignia’s Wireless Keyboard NS-PNC5011

Kensington ProFit Wireless Keyboard

RadioShack Slim 2.4GHz Wireless Keyboard

Toshiba PA3871U-1ETB wireless keyboard.

Other keyboards may also be vulnerable to the attack, but have not been tested. Bluetooth keyboards and higher-end wireless keyboards from manufacturers such as Logitech, Dell, and Lenovo are not susceptible to KeySniffer.

Newlin advises users to switch to Bluetooth or wired keyboards in order to protect themselves from keystroke sniffing and injection attacks. Higher-end wireless keyboards are also an option.

The transceivers used in the vulnerable keyboards do not support firmware updates, so they will remain vulnerable forever. The vendors of each of them have been notified of this issue, but have yet to respond.